for another year here in Las Vegas with his white tigers and his magic tricks. It's Siegfried and Roy. Thank you. Thank you. Thank you. I'll be here all week. Hi, I'm Bruce Schneier and I tried dyeing my ponytail purple for this event, but it really didn't take very well. Yeah, I know you need to bleach it first. I don't actually have enough hair to risk bleaching it. So I believe if you could go out in the sun and stare close, it sort of works. We might try again tonight. So generally the format for this, as it's been, is I answer questions. Usually you guys ask all the good questions, so I'm happy to open the floor. No. Come now. There we go. Is there anybody at the con selling Secrets and Lies? I don't know. The vendor area hasn't opened yet. Sometimes there are booksellers. Often there are, you know, alternative booksellers. I mean, Secrets and Lies, this is the book I published last October, so since when I saw you guys last. I have a new book out, it's called Secrets and Lies, and it is a general security book, as opposed to a cryptography book. It came out in October. Last I checked, it sold about 80,000 copies. And it's available at, you know, all major bookstores nationwide. So there's less reason. Oh, good. So I can wave it around. This is not me on the cover. As some people think, actually my mother thought this was me. This is some random actor and it's a stock photo. But no, probably not. Often here we don't have real booksellers. I mean, mainstream booksellers. I guess those are less real booksellers. But, you know, Amazon has it and all the other, you know, big evil corporate chains. The question about the NASDAQ and glitches in the past three months, the answer is probably. It's often really hard to tell. One of the things I end up doing a lot in Cryptogram is sort of trying to decipher the news stories. And one of the biggest problems I have as a security guy is that a lot of the stuff is not made public.
It's very hard to learn from other people's mistakes because they keep their mistakes quiet. You know, it's real different from, you know, if a 747 drops out of the sky. We all know it happens. There's a multi-hundred page publicly available report on the accident and what caused it and how to make it better. And we don't get anything nearly like that information for computer security events. You know, were there really two glitches at NASDAQ? Probably. Do we know for sure? No. Do we know what caused them? No. Are we going to find out? No. Do we want to know? Yes. You know, this to me is sort of a major problem in actually getting computer security better because we just don't have good information. There was another hand that was there. What is my background? I thought you also know that. The background looks like, I don't know, some cheap black velvetoid thing. And what kind of questions? I don't know. I'm surprisingly opinionated. But I usually get the crypto questions and then some random security questions. You'll get the hang of it. Other people sort of let you know what to ask. There was something way in the back on PKI. Actually, I'm going to answer the question sort of in two ways. One of the cool things about being a writer is that you get to write stuff down and you never have to say it again. And I don't mean this in anything negative. But, you know, as someone who does a lot of writing in security, I get to figure out what my thoughts are, put them in a coherent form, put them on paper and say done. And a couple of years ago, I did, Carl Ellison and I, he works for Intel, did a paper called Ten Risks of PKI. We believe that PKI is basically a sham. It doesn't provide any security. You know, the security it provides is very minimal. It doesn't actually work the way it's advertised. And it's sort of one of the big embarrassments of cryptography right now.
And rather than spend an hour explaining to you why that's true, I urge you and anybody else interested to read the essay. It's on the Counterpane website. Counterpane.com is my company. Counterpane.com is the URL. Up in the upper menus, you'll see Counterpane Labs, which is the research arm. And then if you've wandered your way through publications, you'll find the paper Ten Risks of PKI. And there I sort of outline in excruciating detail, I mean, enough detail that all the PKI companies have written rebuttals to it, why I think PKI doesn't work. And what, if anything, could be done to fix it. Carl and I are in the midst of rewriting that paper. Because there actually were some good comments in the various rebuttals. And we're going to incorporate them and answer them. And, you know, our position doesn't modify a lot. But there's a lot of new things to say. There's a lot more information, a lot more lessons to be learned. There. Well, thank you. This isn't one of those "on page 76, you said A" things. Okay, good. You know, it's a good question. And people didn't hear it. I've said, and I said it a lot, I said it yesterday at Black Hat, I think people are the major security problem. And in fact, a lot of it's not about the technology. And one of the reasons I moved from cryptography into computer security is I'm building this really cool math that's not actually solving the problem because it gets screwed up in implementation. And one of the things I believe is missing is detection and response. In the real world you have prevention, detection, response. And if you wander around the real world, detection and response ends up working a lot better. And I started a company to do this a couple of years ago. One of the things he alluded to, if you look at prevention as a security measure, it's very fragile. And we see this again and again as we wander through our daily lives.
You go to sleep one night, you're secure, you wake up in the morning, someone published four new BIND vulnerabilities, you're completely insecure and it's nothing you did. Security is very fragile. Because once it's broken, you lose it. The question is, can we make security resilient? Can we make it robust? And I believe that part of that, a good part of that, is detection and response. But if you think about it, if you have enough pressure plates and motion sensors and electric eyes in your house, you're going to catch the burglar regardless of how he broke in. So good detection and response will make individual vulnerabilities irrelevant. Because you have basically a surveillance layer. And he has a very good question. How do you implement that to deal with insiders without screwing the trust within the organization? And I always look to the real world. How do we do it in the real world? Well, we just manage. If you go to your average office, the CEO will lock his door. And here we have an internal security measure even though you're in the organization. People will log on, log off their computers. There will be safes. There will be paper shredders. There will end up being a lot of physical controls. Even within an organization. Because we all know an organization is not a single trusted entity. You know, it's naïve to think that everybody in, let's say, IBM trusts everybody else within IBM to the same degree. Because, you know, another point is that trust is a very complex social phenomenon. It's not a single binary switch. So I believe just as you have physical monitoring. And, you know, you go into a store and that cash register is physically monitored because the sales clerk might be trusted but not one whole hell of a lot. So I think we just end up doing it. And, you know, in some ways it's unfortunate because it does increase surveillance. But within an organization, you end up making decisions between security and usability, security and functionality.
And as long as we have good laws in place to make sure we're not overstepping any legal boundaries for personal privacy. There are a lot of laws in the physical world about what you're allowed to surveil and what you're not. The phone company used to time operators when they went to the bathroom to make sure they didn't use up too much time. That was considered illegal monitoring. So you're going to have a lot of that. You know, as the courts and the businesses jostle to figure out what's allowed and what isn't. In some ways I worry about that because the courts don't seem very privacy friendly in the last decade or so. You know, I used to think that the Supreme Court would be the one body that would, you know, do the right thing and do the smart thing. But, you know, last October I completely lost faith in that. So I don't think it'll be easy. There are no easy answers. But like anything else that involves people, it's going to be a balance. I hope I answered that question. Oh, let's go. I'm sorry? Yeah, actually my next book might be another crypto book. Interestingly enough. I have a co-author and we're not going to redo Applied Cryptography. We're going to do a book that we're tentatively calling Practical Cryptography, which will talk more about the implementation and less about the math. Here's how you do it. Because what you do is pretty obvious, but how to do it is hard. Oh, I'm going to go right there first and then I'll go to that area. The question was about internet voting. I actually, since no one heard his plug, I'll say it. I do a monthly newsletter called Cryptogram. It's a free email newsletter. Probably a lot of you get it. Okay. Those of you who get it, you like it, right? All right. So tell the others, there are flyers for it there, there and in the back two corners by the water pitchers. You can subscribe online or you can give me a business card.
I do this every month and it's a collection of interesting news tidbits I find, correcting press reports, commentaries on different aspects of security I find intriguing. I did an essay some months ago about digital, about computerized electronic elections, which I think would be an unmitigated disaster. I had a bunch of reasons why. I laid out a pretty good picture. I'm going to Brazil to do hearings in front of their government on the topic. It'd be kind of neat. And the question was, given all the responses you heard, was there anything that changed your opinion? The answer is unfortunately no. I think my opinion is based on sort of how computers work. What I advocate, for those who didn't read it, I believe that hand recounts and paper ballots are required. That as soon as you computerize something, you not only add the probability of errors, but you lose your auditability. You can get to a state where you have something you know is wrong, but have no way to get to correct. So I would like to see a paper ballot that could be computer tallied, but you can always fall back on hand tally. And that's sort of the hybrid solution I think would work. I said I would go over to this area. One, then two. Do you mean in publishing the manuscript? Actually I do this a lot. I'll give you a rule to success for being a technical writer. Do not have any ego tied up in your words. It's a really good piece of advice. Before I write, before I publish anything, whether it's a book or the essays you see in Cryptogram, it goes out for peer review. You know, somebody will read the essay, maybe two or three people, give me comments and I'll make changes. For books, it'll go out to hundreds of people. You know, where I'll say here, you know, this chapter is your bailiwick. Please read it. And I get back all sorts of comments, and I make major changes. And I actually do this in stages, where I'll send the book out to maybe 30 people for review, and I'll get it back.
I'll send it out to 30 more. So I don't only get one set of comments, I get many sets of comments. It's iterative. And yet to me, this is the best way, because what the hell, I don't know anything. And it's not true. I don't know everything. So yes, I mean, I know you read some of my book and you gave me good comments. And people have different amounts of free time. Some do very superficial, read a chapter. Some don't do it at all. Some maybe give you back huge comments. So you know, you get a nice little bell curve and you get good information. So yeah, if you're doing a tech book, especially in computer security, where there's so many things, little pieces you don't know, I recommend it. It's really a lot better to get the feedback before it's published than after. That's sort of the philosophy. There's a question up there. The question is whether I think that the current engineering software, software engineering practice, has enough, I guess, collective wisdom in how things fail, in failure modes, that things are going to get better. I guess that was the basic question. Actually, I believe the opposite. I believe things are going to get worse much faster. We're certainly not learning from, I mean, there are great examples of this. Buffer overflows is my favorite. You know, it's a 40-year-old problem. We know how to fix it. You know, and still two-thirds of all CERT advisories are buffer overflows. You know, we're actually not learning very much. And I've given lectures on this last year at Black Hat. I gave an hour talk on complexity. And I believe that, I mean, the amount of complexity that's being added far overshadows any additional security we're getting. There are seats up front. There are lots of seats up front. You just sort of got to walk up front and find a seat. I mean, they're all hiding them from you in the back. But I assure you I'm higher. I see them. So no, actually I think things are getting worse. And I think things are going to get disastrous.
That I think there are some major, I mean, we're starting to see them. As complexity is rising, we're seeing large system-wide failures. You know, we had the California power grid hacked into. This wasn't possible three years ago because it wasn't on the net. So as more critical systems go on the public network, in this month's Cryptogram, which is coming out on Sunday, believe it or not, I talk about computer telephone integration. And the sort of disasters waiting for us when the phone network starts getting the reliability of the internet. You know, I'm not impressed. Oh, let's go right there. You know, the whole book was a surprise to me. And I sort of said this in the foreword. I'm writing the book sort of to, I mean, I wanted to write a book about general security to sort of explain how a firewall works, how an IDS works, how cryptography works, to a more general audience. Because I kept meeting idiot managers. And I wanted a book that they could read and understand. So, and the book's divided into three parts. The first part I talk about the general environment. You know, what the computer security world looks like. What is the threat? Why is the internet different than the real world? Why is it the same? What do the attackers look like? You know, what are our security needs? So what's the environment? Second part I talked about the different technologies, you know, ranging from cryptography and steganography and network security things and software security things. And I insulted PKI in there. And, you know, while writing this book, I kept, I started getting more and more disillusioned because I'm like not having any good news. What I'm basically saying is, well, this doesn't work. And this doesn't work. And here's why this doesn't work. And this would never work. And I don't have any "and this does work." So I actually ended up taking a year-long sabbatical from writing the book because I didn't really want to finish a book that was so negative.
And the surprise was, well, what does work? And this is where I go back to the real world. And the real world's kind of surprising because it's an inherently extremely dangerous place. And at the same time, we live in a very safe society. And trying to figure out what is it about our society that makes us safe, right? It's not that we all have personal firewalls, right? Or wear body armor, which would be the equivalent. And I looked a lot at the processes of security, very different than the technologies of security, right? I'm safe at my house, not because I have an uber door lock, right? That doesn't, that's not the reason I'm safe. It's not about the technology. So that was the biggest surprise. And it's a very general surprise. And in part three of the book, I sort of talk about solutions, very generally, about different processes. I don't know. I really enjoyed writing the book. It's a fun book to read. There's good jokes in it, but you can't beat it. It's cheap. Oh, let's go. How about the second one in? Yes. Yes, yes. Is it, is this the one for the rental cars? Or is this, that's right. Okay, that's the guy where, right? Using infrared to peer through devices. Questions about wireless 802.11? And that's a great example of what I'm saying. There have been a couple of papers. There's a paper out of Berkeley, which sort of said that the cryptography really stinks. And there was a paper out of, I think, University of Maryland that said basically, well, even if you fix the cryptography, these other security things also stink. As it turns out, it actually doesn't matter because the system is based on a shared password you type in. So no matter how bad those things are, the implementation is actually worse. You can brute force pretty much any 802.11 network that's encrypted, you want. And in any case, most people don't bother encrypting them. So here we, this is a great example.
We have an example of a system that's billed as secure because of cool encryption. We learned that the encryption is implemented badly, so it doesn't actually provide nearly the security you think it does. The protocols surrounding the encryption are implemented so badly that even if you fix the encryption, you wouldn't get nearly the security you thought you did. The implementation is so bad that even if you fix those two things, you wouldn't get the security you think you did. And nobody implements the security anyway. So even if you fixed everything, people would use it insecurely. I mean, I don't stand a chance against these kinds of idiots. So no, nothing has changed. And you were not, this was second from the end, you were at the end, so I'm going to go to the person I wanted the first time. Actually, you have a bunch of points I want to sort of, before I forget them, I want to interrupt you to sort of do them. The first one you mentioned is prevention, detection and response. There's also laws. Laws do a fourth thing. They add deterrence. Right? Some back channel. You pointed out that laws by definition are issued by governance bodies. And the internet is by nature global. I mean, I talk about this in actually chapter two of my book. It's a big difference in the internet and the real world. That the fundamental global nature of the net makes a lot of our existing system of doing laws, which are based on proximity. I mean, I walk up to you, I hit you over the head, I take your money. We know where to arrest me. We know where to try me. You don't have that same kind of proximity when someone's in St. Petersburg attacking Citibank's computers through France. And that is a big problem and there's no easy solution. There really isn't. It's a very big, it's a big difference. And his last point, it's a very good one, that where are, where are the lobbying groups for the hackers? Well, unfortunately, and I've been involved in this for a bunch of years, we're basically screwed.
There's not a whole lot of money lobbying for personal privacy, for liberty, for freedom, for openness, for information sharing. There's lots of people lobbying for closed, for proprietary, for copyright enforcement, for draconian rules for this, that and the other thing, for surveillance. I spend a considerable amount of time doing lobbying on the good side. And, you know, we get a lot of, we get a lot of air time. I can actually, I can get access to a congressman and talk to them in a way that a company would have to spend a lot of money in campaign contributions to get. So I do get more access because I'm on the side of personal privacy and of freedom and liberty and those are like, you know, good things. But a lot of it unfortunately is lip service. I mean, we saw this in spades in all of these, the DMCA and Napster and digital copyrights. You know, if you look at where the solution space surrounds, it surrounds where the money is. And we have a very, very hard problem. Especially now in the past, you know, to me it's the last 20 or so years when lobbying dollars and lobbying to a much greater degree than before makes laws. Lawmakers are much less likely now to do what's right and much more likely to do what gets them votes or money. Actually money, because money, because you can always buy votes. Now, I don't mean that in the bribing people sense, but in, you know, in paying for a campaign. You know, Americans have very short memories and you just need money. And this is bad. I'm not very optimistic in the near term about us being able to maintain the freedoms and liberties we have in the real world, even maintaining them in cyberspace. You know, let alone getting new freedoms and liberties. We see this in, you know, sometimes we've won. You know, we seem to have beaten back Carnivore, but it'll come back under a new name. You know, we, when the DMCA, the Digital Millennium Copyright Act, came out, I was one of the people fighting for the carve out for research.
We got a carve out, but it's so badly defined that it doesn't actually work. We've gotten changes in the European Cybercrime Treaty to prevent some of their more draconian surveillance ideas. But these things come back again and again. You never actually win. You know, once the government or the FBI or Disney gets a power, they never actually let go. But if we're fighting for personal freedom every time something happens, we have to keep fighting. And, you know, I wish I was more optimistic. I will continue to fight the good fight, but I am, it is a tough battle. There's a question way in the back. I will not be able to hear you. So if you move forward, and meanwhile, you had your hands up. Question is about Twofish. Let's see. I forget where we were last year. Twofish, which is an algorithm I wrote, was one of the finalists for the AES, which was the government replacement for DES. And I think it was less. I think I talked about it last summer. Last spring, NIST chose a different algorithm called Rijndael to be AES. It was one of the good ones. I think it was a great choice. I have nothing but good things to say about NIST and the process. What happens to Twofish? You know, it's the same thing that happens to all the other algorithms that are out there. It's being used by some people, by some companies. On the Twofish web page on the Counterpane site, there's a list of products that use Twofish. You know, it's out there. It won't get nearly as widely used. I will not get all the fame and glory of being chosen as AES. But it was still way fun. It's free. It's public domain, just like a good half a dozen other algorithms. So it will go on. It will probably fall out of favor in a number of years. It's still good. It's still secure. I still like it. But you know, you really want to use the standard. That's the point of standards. So, you know, if someone was saying, asking me, what should I implement, I would say implement the standard.
Unless I was supposed to implement something other than the standard. All right, now that you're closer, how do I feel about SDMI? This is the secure music, Secure Digital Music Initiative. Yeah, it's one of the watermarking techniques. I wrote about this in Cryptogram a few months ago, I think. I mean, it's just as stupid as all the others. Let's think about watermarking. It's an interesting idea. The whole notion of there's sort of two ways to do watermarking. The idea is I'll take a digital file that's lossy, you know, an image or music or video, and I'll embed identifying information in it. I can do a positive or negative watermark. I can embed information about you, the legal owner. You buy a copy of The Little Mermaid, it's got your name embedded in it, and you can't delete it, so that if you post it on the net, Disney knows who to sue. That's one way to use a watermark. A bunch of problems with that. One, often the person who commits the crime doesn't have any deep pockets. I mean, I can go out in the street and give some street person $20, say, go in there, buy a digital copy of The Little Mermaid and give it to me. So now I have a copy with his name on it, no one can sue him, he doesn't have any assets. And that sort of problem pervades. Or I could steal your little copy of The Little Mermaid and post it. You're not culpable. So the positive watermarks, they don't actually make sense. The negative watermark is where you start putting code in the media player. If this watermark doesn't appear, don't play it. Then you put code in the copying mechanism. If this watermark appears, don't copy. Or more robustly, if a copy is made, the watermark is destroyed. And that's more the SDMI approach. This stuff is really scary. I believe the entertainment companies actually don't like computers because they're much too scary, much too general, much too useful. What they want is what I've termed an internet entertainment platform. That's what they want you to have.
Very, very much. Because an internet entertainment platform, they could control. The only way to make this watermark work is to extend the control to the hardware. Because otherwise you'll be able to take it out, you'll be able to manipulate it. The other big problem is actually making the watermark robust. And that's actually very, very hard to do. We don't know how to do that yet. But even assuming you did, I came out very strongly against SDMI. You know, I thought it wouldn't work unless you had these draconian hardware changes. Now all the way through to the speakers of your stereo. And there was a great article in Discover a number of months ago. I mentioned it in Cryptogram, where some authors, you know, took SDMI to its logical conclusion. Where you'd have to have these SDMI enabled recorders and speakers. And then you also have to outlaw non-SDMI enabled recorders and speakers. You'd have to actually tag every piece of content. Otherwise the system would fail. This is a tough battle where we're fighting a lot of very, very big money. I mean, and this is companies like Disney that actually had US copyright law changed when the old Disney cartoons were going into the public domain. I mean, this is a lot of lobbying money. And they very strongly believe that digital content is the death of what they own. And they need to control it. I believe the controls won't work. They're causing us all sorts of grief. They're actually hurting computer security in a very general way. And we need, on all fronts, to fight this. I mean, the stuff that was done, you know, I did testimony for the DeCSS case for 2600 Magazine. I'm constantly fighting these battles. Constantly writing and speaking about this. Because it's a big deal. You asked a question already. You didn't. Or if you did, I don't remember you. Can I explain the vulnerability in Solitaire? Not without graduate mathematics. Actually, I can. For people who don't know, this is sort of a fun story. I did an encryption.
This is something I've been trying to do for years. I wanted to come up with an encryption algorithm that you could use in the field. That you could implement with pencil and paper, yet would be secure against computers. The notion would be some spy in a third world country. Would need to encrypt messages back home. And would be concerned about the secret police. And for a while, I worked on algorithms that involve pocket calculators. And weird and transcendental functions. Trying to get something that was useful. And I don't know, some time it came to me that a deck of cards is actually a really cool, easy way to store a permutation. A 54 element permutation, including the jokers. And so I built an algorithm around, okay, you have an announcement? All right. Is it important enough? So I built an algorithm around a deck of cards called Solitaire. Some time around when I was finishing the work, I was talking to Neal Stephenson, who, and I told him the story, he said, cool, I'll put that in my next book. And that's kind of neat. So the algorithm appears in the book. I wrote, I have an appendix in Neal Stephenson. This is in Cryptonomicon. I have an appendix in his book. I did a couple of book signings with him in Chicago and Minneapolis. And I learned much to my chagrin that cyberpunk writers get way better groupies than cryptographers do. By a lot. And so the algorithm is there. About a year ago, maybe a year and a half ago, someone pointed out that there is a, there is a bias in the output. It's not really a vulnerability. We haven't actually been able to break messages using the bias. But it's certainly something I should fix. And I am in my copious free time going to come out with Solitaire 2. Basically, the output is not as random as it should be because of the way the mechanisms work. There is a pretty easy fix. But actually I want to test the fix a lot more than has been done to the first version.
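The deck-as-permutation idea above, as an added example that is not part of the talk and not Schneier's own reference code: a Python implementation of the Solitaire keystream generator written from the published description (jokers A and B are 53 and 54, the unkeyed deck is 1 through 52 followed by A then B, each keystream value comes from moving A down one, B down two, a triple cut, a count cut by the bottom card, then reading the card found by counting down by the top card, with joker outputs skipped). The `adjacent_repeat_rate` helper is an assumption of mine, added as one simple way to look for the kind of output bias the talk mentions; for a uniform keystream the mod-26 value repeats about 1 time in 26.

```python
# Solitaire keystream generator and letter cipher (added example, not the
# original reference code). Assumes the standard card numbering: clubs 1-13,
# diamonds 14-26, hearts 27-39, spades 40-52, joker A = 53, joker B = 54.

JOKER_A = 53
JOKER_B = 54


def unkeyed_deck():
    """Deck in its initial, unkeyed order: 1..52, then joker A, then joker B."""
    return list(range(1, 53)) + [JOKER_A, JOKER_B]


def move_joker(deck, joker, steps):
    """Move a joker down `steps` positions; from the bottom it wraps to just below the top card."""
    for _ in range(steps):
        i = deck.index(joker)
        if i == len(deck) - 1:
            deck.pop(i)
            deck.insert(1, joker)
        else:
            deck[i], deck[i + 1] = deck[i + 1], deck[i]
    return deck


def triple_cut(deck):
    """Swap the cards above the first joker with the cards below the second joker."""
    i, j = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
    return deck[j + 1:] + deck[i:j + 1] + deck[:i]


def count_cut(deck, n):
    """Move the top n cards to just above the bottom card (bottom card stays put)."""
    return deck[n:-1] + deck[:n] + [deck[-1]]


def solitaire_round(deck):
    """One keystream step: returns (new deck, output card). Either joker counts as 53."""
    move_joker(deck, JOKER_A, 1)
    move_joker(deck, JOKER_B, 2)
    deck = triple_cut(deck)
    deck = count_cut(deck, min(deck[-1], 53))
    n = min(deck[0], 53)          # count down n cards from the top (top card is 1)...
    return deck, deck[n]          # ...and output the card after that


def key_deck(passphrase):
    """Key the deck: per passphrase letter, do one round, then count cut by the letter (A=1..Z=26)."""
    deck = unkeyed_deck()
    for ch in _letters(passphrase):
        deck, _ = solitaire_round(deck)
        deck = count_cut(deck, ord(ch) - 64)
    return deck


def keystream(deck, length):
    """Generate `length` keystream values in 1..52, skipping joker outputs (no deck mutation)."""
    deck = list(deck)
    out = []
    while len(out) < length:
        deck, card = solitaire_round(deck)
        if card in (JOKER_A, JOKER_B):
            continue
        out.append(card)
    return out


def _letters(text):
    """Keep only letters, uppercased."""
    return "".join(c for c in text.upper() if "A" <= c <= "Z")


def encrypt(plaintext, deck):
    """Pad to a multiple of five with X, then add keystream mod 26 (A=1..Z=26)."""
    msg = _letters(plaintext)
    msg += "X" * (-len(msg) % 5)
    ks = keystream(deck, len(msg))
    return "".join(chr((ord(p) - 65 + k) % 26 + 65) for p, k in zip(msg, ks))


def decrypt(ciphertext, deck):
    """Subtract the same keystream mod 26 (padding X's are left in place)."""
    msg = _letters(ciphertext)
    ks = keystream(deck, len(msg))
    return "".join(chr((ord(c) - 65 - k) % 26 + 65) for c, k in zip(msg, ks))


def adjacent_repeat_rate(ks):
    """Fraction of consecutive keystream values equal mod 26 (~1/26 for a uniform source)."""
    pairs = list(zip(ks, ks[1:]))
    return sum(a % 26 == b % 26 for a, b in pairs) / len(pairs)


if __name__ == "__main__":
    deck = unkeyed_deck()
    print(keystream(deck, 10))                       # first keystream values, unkeyed deck
    print(encrypt("AAAAAAAAAA", deck))              # EXKYIZSGEH for the unkeyed deck
    print(adjacent_repeat_rate(keystream(deck, 5000)))
```

The published unkeyed-deck test vector (plaintext of ten A's) starts the keystream 4, 49, 10 and gives ciphertext EXKYI ZSGEH, which is what the block above reproduces; `keystream` copies the deck before use so the same keyed deck can be reused for decryption, and the repeat-rate helper is only a crude statistic, not the analysis that found the bias.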
You know, once you start attaching yourself to somebody's book, suddenly you're beholden to the fiction publishing schedule. Which sort of was a surprise. But you know, there is, there's a lot of math to the vote, to the, to the vulnerability. But that's the basic intuition. There's a bias in the output. And now we pause for a very, very special announcement. I think he's going to yell at you for something. Oh, you're good. By the way, cryptographers do it mathematically. I don't know, you're the cryptographer. The question was, was it a plus or minus? So all you girls out there, flock him later. That's correct. We don't want any K girls. We want G girls. I'm sorry. No, someone else said something about copulation. Okay, I'm sorry. I thought I was putting Bruce under class or something like that. Okay. Yeah, I'm actually here to yell at you. What a surprise. It's already 11:35. And this will be my second yelling of the day. There are people walking around right now, strongly encouraging you with flyers and so on and so forth to cause various mayhem and discontent within the hotel. They're also encouraging you to beat up the staff and pick on the feds. Thank you, citizen. Jay, I would strongly encourage you not to do that. I would also strongly encourage you to, as non-violently as possible, discourage these individuals from doing that. We like this hotel. This hotel kind of likes us at this point. Does anyone not want to be here next year? Show of hands. Okay, very funny. A couple smart asses in the back. You can kick his ass later. Did you waving it? Hi, how are you? Good to see you. Okay, stand up, sir. Go ahead, sir. You had the balls to say it. Now you better back it up. Open season. Well, you see, it's kind of funny you mentioned that because obviously this speech is meant for you. It's kind of like the caution hot signs on the McDonald's coffees. We're supposed to be the bright folk, right? The uber hackers, right? You know, the smart ones.
If you think you should be banging rocks together in the parking lot to make fire, the newbie track is downstairs. I mean that jokingly. My four-year-old niece can break lights and steal the soapboxes out of the bathrooms. Okay? I expect you people to be hacking the PBX. Not that I'm advocating that you hack the PBX, but at least not this hotel's. I expect you to be breaking his algorithms. I don't expect you to be stealing light bulbs. And think about it. If you're stealing the soap dispensers from the bathroom, you probably should be washing your hands because you're obviously one of those guys. We have a special room for you. It's got some rope ladders and some swings, bananas. You can throw feces at each other. Kind of like the telco guys, you know, at Pac Bell and stuff like that. Seriously, please. We like this hotel. This hotel has been very good to us. As I mentioned before, unless you want to be in Salt Lake City, Utah, next convention, and if you're not Mormon, take it from me. It sucks. I've been there in the dead of winter, and it sucked, and I'm not Mormon. Not that Mormonism is a bad thing. We're going to get kicked out, and that kind of stuff has just got to stop. So please, one, encourage your friends to return the lights they've stolen and the soap dispensers. You have a general amnesty on anything you've taken. Bring it to me or one of the other staff. We will not beat you. We will not get angry at you. We will not yell at you. We'll probably look at you like, what the hell were you thinking? But you can bring it back with impunity. We just want to give it back to the hotel. If you do see some wanker walking around with "beat up the feds," remember they do carry guns, and you don't. And they will shoot you. And we can't do anything about that. But there's a whole Darwin thing going on there. So actually, let me take that back. Those of you dumb enough to go beat up on a fed, go for it. Open season. Please.
All you feds, you got a presidential hunting license, no bag limit. You are authorized up to and including tactical nuclear devices. Again, please encourage them to stop. Please encourage them to give the stuff back. And please, con responsibly. I realize we're all a bunch of 13-year-olds of all ages. But let's be smart 13-year-olds, okay? Let's not be 4-year-olds. Are there any questions? Sorry, are there any smart questions? Anyone? Yes, sir. You need to talk to me right now. No questions? None at all? I turn it back to the very sexy Bruce. Actually, he's got a point. It's tough because we're sort of walking a fine line between what's legal and illegal, what's allowed and not allowed. Sort of where you walk the line and where you don't. So it determines whether this conference lives and or dies. And I kind of like it. And if you guys like it, stick around. Oh, actually, so you've listened. Do you know what kind of questions to ask? Where'd you go? You left. Oh, well. Guess it wasn't the right kind of questions. Oh, let's go for the red shirt. It's a real good question. People didn't hear it. He's asking about, well, if SDMI and copy protection don't work, certainly the media companies are afraid they're going to lose their content and they're going to stop producing it. So what will work? It's an interesting question. I did, there's a paper I wrote called Street Performer Protocol. It's on my publications page where I looked at this question. The basic idea is, is there any way to make money with content other than the scarcity model? But the whole model that the music industry, the movie industry is selling the each. Right? Selling the CD, selling the tape, selling the performance. And how else can you make money? Well, it turns out there are lots of ways to make money. I mean, television is a great example. Television never worked on the selling the each model. You bought a TV, you turned it on, and you got all the content for free. 
So there was an advertising model that made that work. You go to public television, there's a public funding model that makes that work. And you wander around, there are lots of other models. There's a recency model. Right? Bloomberg stock data is free. But if you want it in the next 10 seconds, you're going to pay for it. Another interesting model. You know, look at the Grateful Dead. Giving away concert tapes. It's okay to tape the concert, it's okay to give it away. We're going to sell the live performances, but we're going to give away the content of those performances. There's patronage funding, Stephen King saying, you know, I'm going to write this book. I want you to pay me when you download it. If you pay me, I'll write it. If you don't, I won't. But you can do that. The newspaper is a good example. You know, when you buy a newspaper, you don't actually pay for the newspaper. That quarter or 30 cents is sort of just a price of admission. It actually costs a lot more to make a paper. But it's mostly an advertising model. And it's also an aggregation model. Someone might be buying the crossword puzzle. Someone else is buying the sports section. Someone else is buying the movie listings. But the paper is sold as a coherent whole because each part ends up subsidizing the whole. And you could go on the website and get all that content for free. But you want it in a paper form. So what you're buying is the packaging. So yes, there are lots of other models. They're different models. I believe fundamentally digital content changes the rules of content. Because bits are copyable. I'm sorry. They are. We cannot change that. It's like making water not wet. And those businesses that will thrive in the digital media age are those that align their profits with the natural laws. And not those that try to fight it with the DMCA, with SDMI, with all of these basically dikes that are trying to hold back the tide. The tide will come. So just try to think smart. 
How can we make money despite? I love the bands that will perform and say, you know, we want to make a CD. So we're going to, we want to pre-sell it because we need money to make it. I mean, there's an example. They could give it, they could actually give the CD away. In a lot of ways my book, when I was a consultant, was an 800-page business card. I would have, you know, if Wiley didn't own the rights, I would have given my book away because it got me consulting work. So yes, there are lots of other ways to make money that aren't selling the each, that aren't the scarcity model. But you've got to think about them. And unfortunately, the record companies and media companies want to protect an enormously draconian business where they screw a lot of artists, where they make a lot of money, and they do it in the way they're used to doing it, and they don't want to think differently. They want to think the same. Oh, who do I like? Let's go to someone I can hear, right there. No, you. Yes, you. No, no, no, you. Yeah, yeah, yeah, yeah. There's a couple of points I'll talk about. One is the notion of due diligence. And yes, there is one in cyberspace. We don't know what it is yet. You know, basically due diligence these days is, don't do any worse than your neighbor. You know, what does it mean when a company says, well, you know, we did due diligence? It means we bought a firewall, maybe we have an IDS. It doesn't mean we're actually secure. Because that's what the minimal standard is, right? The more interesting point you made in the beginning where you said, you know, am I calling for more law? Those of you who heard me yesterday, I talked about the need for law enforcement. Am I calling for more laws? I'm actually not. We're now in a society where technology changes too fast for laws to catch up. You know, back in the previous century, certainly the first half of the previous century, you had very few technological advances that happened very slowly. 
So you could really invent a telephone and then take five or six years to figure out what are wiretapping laws? What is, you know, what does search and seizure look like on a telephone? You know, what's there between eavesdropping and trap and trace? And that's exactly what happened. And it took a good long time. Changes are happening too fast now for that. We actually need laws that are technologically invariant. And I didn't make this point yesterday, and this is the point I actually will make when I go in front of the congressional committee on Monday. Laws need to be technology invariant. If we make technologically specific laws, they will become obsolete in a year, in two years, in six months. And in a lot of ways, we have all the laws we need. Right? Breaking and entering is a crime. We don't need a cyber breaking and entering law. We've already got a breaking and entering law. We've already got a harassment law. But we've already got laws against, oh, confidence tricking. You know, we've already got pornography laws. We don't need new ones. We don't because the internet shouldn't have different laws. It should have the same laws. They just need to be applied in a reasonable manner into this new environment. And this is going to happen more and more. Right? Peer to peer is now different. You start getting new things on the net. You know, it'll be interactive video soon. Is that different? Who the hell knows? It needs to be the same. So I'm not advocating more laws. I mean, I don't, whenever Congress starts making laws, I get worried. Because then you've got all of the lobbying. Right? You've got all the influences on the law. I'd rather have the courts figure out how to prescribe the laws. Right? How to implement the laws in a coherent fashion. I'm much more confident that will be done fairly. Nothing is perfect. We're going to be screwed little bits here and there no matter what. 
But I think we have a better chance of getting out of this okay if we let the courts do it rather than the, rather than Congress. Or, you know, like the president or something. You know, there's a problem of taking defense into your own hands. It's very jurisdictionally isolated. Right? Things that we can do in the United States are very different from things you can do in France. Which are very different from things you can do in Saudi Arabia. So those laws, you know, what taking your defense into your own hands means is different. I wrote a little bit about counterattack in Cryptogram like two months ago. The notion of not just defending yourself as being in a hard shell, but actually actively defending yourself, retaliating. Which is sort of what your analogy is of having a gun for personal defense. I mean, you're using an offensive weapon to retaliate against an attacker in defense. It's real hard to do on the net. You know, we can go through the technical reasons, but they're there. Presumably this will become easier. You're going to have the same problems you're going to have in the real world. I mean, what if you retaliate and you hit the wrong person? Right? That's going to be a big issue, especially on the net, where people can cloak themselves and other people, where people can steal other people's identities. So we're going to have to deal with that. I mean, what constitutes enough probable cause that a citizen can retaliate? You're going to have the jurisdictional boundaries. An attacker coming from this country versus that country, going through a third country. You know, I believe we are going to have international cyberspace laws and treaties. We have to. But still there are going to be lots of domestic sensibilities. And it'll be domestic sensibilities about content. You know, if you're a country like China or Singapore, there'll be domestic sensibilities about different moralities. Maybe you're Saudi Arabia or Afghanistan or the United States. 
You know, there'll be major differences in what's considered proper. And my fear is we're going to get the net that's the lowest common denominator. You know, when the government of Germany complains to eBay about having Nazi memorabilia on sale, I don't want the solution to be for it to disappear from the entire world. Because then you end up with the minimum of what everybody allows. What you want is the maximum. This is hard to do. I mean, and I don't think we're going to solve it any time soon. But those are some of the issues that you have to deal with. You know, I'd love to get your question. I'm not going to hear it unless you're really, really loud. Yeah, yeah. I don't speak sign language and my interpreter left. I know that's a yes. You know, who's the global lawmaker? Don't know. I mean, there are any number of candidates, right? You know, the UN has tried to do some of this. G7 has tried to do some of this. ICANN, right? I mean, the commercial world has tried to do some of this. IETF has tried to do some of this. I don't know. I mean, it's going to be some combination. You know, if you look at some of the really good global laws, a lot of them are just informal treaties. You look at GATT. You look at a lot of the maritime bills of lading. There's an enormous amount of international law involving shipping. What does it mean to buy a product on their dock and have it shipped across an ocean to your dock? What happens in the middle? And there are commodities like oil, which might change ownership seven or eight times as the tanker goes from point A to point B. Now there's no global body that establishes these rules and laws. It's conventions, it's agreements, it's treaties. So you're probably going to have some sort of mishmash like that. I mean, it would be great if the world government could do it, but we ain't got no world government, and it ain't coming anytime soon. 
I mean, you know, the UN's going to try and they'll probably get some things done. But, you know, there's too much minutia. Yeah, and some of the, right, and some of those other ways are more distributed, some of the bilateral treaties, the IETF type solutions. Yeah, and policies do in many areas of commerce end up not being laws, but they're common practices. You get odd, you get odd collisions though. You know, there's, when the typewriter was invented, there were a number of years where we figured out what it meant to have a typewritten contract. If you think about it, contracts are handwritten, so you know who wrote it, and they're signed. What does it mean when a contract is typed? Can it be forged? Do you have to sign every page or just the last page? Which is actually a really good question. And there are some countries that are sign-every-page countries, and there are countries like the United States which are just sign-the-last-page countries. And there were cases where there were contracts where one jurisdiction held them invalid and one jurisdiction held them valid. Because of the different rules about what it meant to sign a contract. So, I think you're going to have those sorts of distributed conventions, if not laws. Or maybe formalized into treaties, maybe just business conventions. I mean a lot of what the oil industry does are conventions. They just know how they do business, and it's the way it works. You get that a lot on trading floors. You know, go visit the New York Stock Exchange or NASDAQ. There are no, there aren't laws that govern what goes on in the pits. But there are very strong conventions. And they have dispute resolution. It's all like a government, except it's private. So, yeah, you could have some of that. And there are examples of that working and failing. The net's so tough because it's so global. I mean you guys are in it. You know, I mean if everybody played by the rules, right? 
If everybody was a good sheep, you wouldn't need copy protection. But there are always people who are going to push the rules. And this is a good thing. I'm not saying this is bad. But you'll always have an element that'll push the rules. So there'll always be the drive to make the rules more formal and more enforceable. I have to go. It's time. I am here all weekend. Most likely I'm outside because I like, actually I like the hot sun. Again, I have flyers for my newsletter in the four corners. They're there, they're there, or you can give me a business card or email address. Thanks for listening. This is, I mean this is, this is always fun. I love doing this. Thanks.